ABSTRACT. We introduce a new class of public-key functions involving a number n = p·q having two large prime factors. As usual, the key n is public, while p and q are the private key used by the issuer for production of signatures and function inversion. These functions can be used for all the applications involving public-key functions proposed by Diffie and Hellman, including digitalized signatures. We prove that for any given n, if we can invert the function $y = E_n(x)$ for even a small percentage of the values y then we can factor n. Thus as long as factorization of large numbers remains practically intractable, for appropriately chosen keys not even a small percentage of signatures are forgerable. Breaking the RSA function is at most as hard as factorization, but is not known to be equivalent to factorization even in the weak sense that ability to invert all function values entails ability to factor the key. Computation time for these functions, i.e. signature verification, is several hundred times faster than for the RSA scheme in [6]. Inversion time, using the private key, is comparable. The almost-everywhere intractability of signature-forgery for our functions (on the assumption that factoring is intractable) is of great practical significance and seems to be the first proved result of this kind.


Key  words.  Public-key  functions.  Digitalized 
signatures.  Factorization.  Intractable  problems. 
INTRODUCTION


In their fundamental paper [2] Diffie and Hellman have shown how public key trap door functions can be employed for the solution of various problems arising in electronic mail, including the production of digitalized signatures. An example of a public-key function usable for digitalized signatures was given in the elegant paper [6] by Rivest, Adleman, and Shamir, who introduced a trap-door one-way function employing a number n factorable into a product n = p·q of two large primes. The decoding algorithm given in [6] for this function requires knowledge of the factors p, q of n. It is, however, conceivable that another decoding algorithm exists that does not involve or imply factorization of n. Thus, breaking this one-way function is at most as difficult as factorization, but possibly easier.

We present a different public key function which can be used for digitalized signatures, and all the other applications, in the same way as the above-mentioned function. The function in [6] is 1-1. Our function is four to one, but this causes only slight modifications in the applications.


For this new function we can prove that the ability to forge signatures or decode messages is equivalent to the ability to factor large numbers. In fact, for any given n, a signature forgery or inversion algorithm effective in just a small percentage of all cases, say one case in a thousand, already leads to a factorization of n. By inversion we mean finding for a number y in the range of E one of the x such that E(x) = y.

In view of the present-day intractability of the factorization problem, this fact lends substantial support to the viability of our public-key function.

As  long  as  it  is  impossible  in  practice  to  factor 
large  numbers,  it  will  be  impossible  for  a  fixed  key 
to  forge  signatures  even  for  a  small  percentage  of 
all  messages. 

The fact that we are able to prove, on the assumption that factoring is hard, that for our function, for a fixed key n whose factorization is not given, inversion must be hard for almost all messages is of great significance. For other trap door functions it may be the case that even though worst case complexity or even average complexity are high, in say one percent of cases inversion is easy. From a commercial point of view this would pose an unacceptable risk. For example, an adversary can randomly search by computer for messages useful to him, such as payment instructions, on which he can forge signatures. To the best of our knowledge, we have in this article the first example of an almost everywhere difficult problem of this type.

In addition, computation time for this function is several hundred times faster, and inversion when p, q are known is about eight times faster than the corresponding algorithms in [6]. If we invert the RSA function by Chinese Remaindering, as we do here, then the inversion times for the two functions are comparable.

Theorems 1 and 2 concerning the equivalence of square-root extraction with factorization are perhaps also of independent number-theoretic interest.

1. THE PUBLIC-KEY FUNCTION

Let n = p·q be the product of two large primes p, q, and let $0 \le b < n$.

DEFINITION 1. The function $E_{n,b}(x)$ is defined for $0 \le x < n$ by

$E_{n,b}(x) = x(x+b) \bmod n, \quad 0 \le E_{n,b}(x) < n.$

Computation of E(x), for fixed n, b, requires one addition, one multiplication, and one division of x(x+b) by n to find the residue $E_{n,b}(x)$. Note that only the public key n, b, but not the factorization n = p·q, is required for encoding.

2. INVERSION ALGORITHMS

Given $c \equiv x(x+b) \pmod n$, we want to find the four values $0 \le x_i < n$, $1 \le i \le 4$, such that $E(x_i) = c$. We assume of course that the private key, i.e. the factors of n, are known.

Throughout this paper res(A,B) will denote the residue of A when divided by B, and (A,B) will denote the greatest common divisor (g.c.d.) of A and B.

The decoder, who is the issuer of the public key n, b, knows the factorization n = p·q. Clearly, it suffices to solve the equation $x(x+b) \equiv c$ separately mod p and mod q and then find a solution mod n.

Let a be an integer so that $a \equiv 1 \pmod p$, $a \equiv 0 \pmod q$, and b satisfy $b \equiv 1 \pmod q$, $b \equiv 0 \pmod p$. If r and s satisfy the congruence mod p and mod q respectively, then z = ar + bs solves the congruence mod n, and x = res(z,n) is the sought-after solution.


In what follows let p be a fixed prime. We shall understand all integers a to be residues mod p, i.e., $0 \le a < p$. For d a quadratic residue (q.r.) mod p, $\sqrt{d}$ will denote any one of the two integers such that $(\sqrt{d})^2 \equiv d \pmod p$, and $-\sqrt{d}$ will denote $p - \sqrt{d}$.

To solve

(1)  $f(x) = x^2 + bx - c \equiv 0 \pmod p$

let $d = b/2 \bmod p$; then $(x+d)^2 \equiv c + d^2 \pmod p$, $x = -d \pm \sqrt{c + d^2}$. We can solve the equation (1) as soon as we can extract square roots mod p, i.e., solve $y^2 - m \equiv 0 \pmod p$.

Assume first that $p = 4k - 1$ so that $4 \mid (p+1)$. Since m is a q.r., $m^{(p-1)/2} \equiv 1 \pmod p$. We claim that

(2)  $\sqrt{m} = m^{(p+1)/4} \bmod p$

is one of the two square roots of m. Namely, $m^{(p+1)/2} = m \cdot m^{(p-1)/2} \equiv m \pmod p$. Thus one implementation of the function would use p and q such that $p \equiv q \equiv 3 \pmod 4$, and the decoding algorithm (2).

For p = 4k + 1 we directly solve the equation (1) by a probabilistic algorithm. This is a special case of Berlekamp's root-finding in GF(p) algorithm given in [1]. The short proof given here is taken from [5], where generalizations to $GF(p^n)$ appear. If the roots of (1) are $\alpha, \beta \in GF(p)$ then $x^2 + bx - c = (x - \alpha)(x - \beta)$. The roots in GF(p) of the polynomial equation $x^{(p-1)/2} - 1 = 0$ are exactly the quadratic residues in GF(p). Consequently, if $\alpha$ is a quadratic residue while $\beta$ is not, then $(x^{(p-1)/2} - 1,\ f(x)) = x - \alpha$, so that $\alpha$ and subsequently $\beta = -(b + \alpha) \bmod p$ are readily found.

Assume that $\alpha$ and $\beta$ are of the same type, i.e., both quadratic residues (q.r.) or both quadratic non-residues mod p, and that $\alpha \ne \beta$. Let $0 \le \delta < p$; then $\alpha + \delta$ and $\beta + \delta$ are of the same type if and only if $(\alpha+\delta)/(\beta+\delta)$ is a q.r. mod p. As $\delta$ takes all values $0 \le \delta < p$ except $\delta = -\beta$, the quotient $(\alpha+\delta)/(\beta+\delta)$ takes all values $0 \le \gamma < p$ except $\gamma = 1$. Thus for exactly $(p-1)/2$ choices of $\delta$, $\alpha+\delta$ and $\beta+\delta$ will not be of the same type.

Since $f(x-\delta) = (x - \alpha - \delta)(x - \beta - \delta)$, we have that for a random choice of $0 \le \delta < p$, with probability 1/2

(3)  $(x^{(p-1)/2} - 1,\ f(x-\delta)) = x - \alpha - \delta$ or $x - \beta - \delta$.

Thus on the average two values of $\delta$ have to be tried for finding the roots of (1).


The computation of the g.c.d. (3) requires $O(\log_2 p)$ operations in GF(p), i.e., additions and multiplications mod p. Namely, by essentially repeated squarings starting with x, compute $x + h = \mathrm{res}(x^{(p-1)/2},\ f(x-\delta))$. Whenever a quadratic polynomial is encountered, divide by $f(x-\delta)$ to produce a linear polynomial. Note that x is a formal variable so that all computations involve just pairs of residues mod p. Now by (3), $x + h - 1$ is $x - \alpha - \delta$ or $x - \beta - \delta$, so that $-\delta - h + 1$ is a root of (1).
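The random-shift g.c.d. (3), carried out as the text describes with x a formal variable and only pairs of residues mod p, as an added example in Python (not code from the paper; the function names and the test primes are my own). It computes $x^{(p-1)/2} \bmod f(x-\delta)$ by repeated squaring, keeps the leading coefficient g of the residue gx + h rather than assuming it is 1, and also handles the double-root and no-root cases that the argument above sets aside; it works for any odd prime p, not only p = 4k + 1.

```python
import random


def mul_mod_f(u, v, f1, f0, p):
    """Product of the linear polynomials u = u1*x + u0 and v = v1*x + v0,
    reduced modulo the monic quadratic x^2 + f1*x + f0 over GF(p).
    Polynomials are held as pairs (coefficient of x, constant term)."""
    u1, u0 = u
    v1, v0 = v
    a2 = u1 * v1 % p                        # x^2 term, replaced by -f1*x - f0
    a1 = (u1 * v0 + u0 * v1 - a2 * f1) % p
    a0 = (u0 * v0 - a2 * f0) % p
    return (a1, a0)


def x_power_mod_f(e, f1, f0, p):
    """x^e mod (x^2 + f1*x + f0) by repeated squaring, starting with x."""
    result, base = (0, 1), (1, 0)           # the polynomials 1 and x
    while e:
        if e & 1:
            result = mul_mod_f(result, base, f1, f0, p)
        base = mul_mod_f(base, base, f1, f0, p)
        e >>= 1
    return result


def roots_mod_p(b, c, p, rng=random.Random(1)):
    """Roots of f(x) = x^2 + b*x - c ≡ 0 (mod p), p an odd prime, found by the
    random-shift g.c.d. (3); returns the sorted list of roots (possibly empty)."""
    disc = (b * b + 4 * c) % p              # roots exist iff b^2 + 4c is a square
    if pow(disc, (p - 1) // 2, p) == p - 1:
        return []
    if disc == 0:                           # double root alpha = beta = -b/2
        return [(-b) * pow(2, -1, p) % p]
    while True:
        delta = rng.randrange(p)
        # f(x - delta) = x^2 + (b - 2*delta)*x + (delta^2 - b*delta - c)
        f1, f0 = (b - 2 * delta) % p, (delta * delta - b * delta - c) % p
        g, h = x_power_mod_f((p - 1) // 2, f1, f0, p)   # residue g*x + h
        if g == 0:                          # both shifted roots of the same type
            continue
        r = (1 - h) * pow(g, -1, p) % p     # root of g*x + h - 1
        if (r * r + f1 * r + f0) % p == 0:  # then the g.c.d. (3) is x - r
            alpha = (r - delta) % p
            return sorted({alpha, (-b - alpha) % p})
```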

3. USE IN SIGNATURES

To employ E for signatures the signer P produces two large primes p, q by use of one of the prime-testing algorithms [3,7]. He forms n = p·q, chooses a number $0 \le b < n$ and publicizes the pair (n,b) (but not the factors p, q).

By convention, when wishing to sign a given message M, P adds as suffix a word U of an agreed upon length k. The choice of U is randomized each time a message is to be signed. The signer now compresses $M_1 = MU$ by a hashing function to a word $C(M_1) = c$, so that as a binary number c < n; see [4]. The computation of C( ) is publicly known, so that $c = C(M_1)$ is checkable by everybody.

P now checks whether for this c the congruence

(4)  $x(x+b) \equiv c \pmod n$

is solvable.


By the analysis of Section 2, this congruence is solvable if and only if $m = c + d^2$ is a q.r. mod p and mod q. Thus testing the solvability of (4) amounts to computing the Jacobi symbols $\left(\frac{m}{p}\right)$ and $\left(\frac{m}{q}\right)$, which is essentially a g.c.d. type computation.

If congruence (4) is not solvable then P picks another random $U_1$ and tries $c_1 = C(MU_1)$. The expected number of tries is 4. When for some U the congruence (4) is solvable for c = C(MU), P finds a solution x.

DEFINITION 2: For a given public key n, b used by P and an agreed upon compressing function C( ) and integer k, P's signature on a message M is a pair U, x where U has length k and $x(x+b) \equiv C(MU) \pmod n$.

Anybody can check P's signature by computing c = C(MU) and testing whether $x(x+b) \equiv c \pmod n$.

The randomization of the suffix U of M also adds protection against possible attacks on the function E. Without the suffix, an adversary may attempt to feed to P messages M for his signature, hoping to learn the factorization of n from the solution of $x(x+b) \equiv C(M) \pmod n$, which will be produced by P as his signature. Actually, this does not seem a serious threat because of the hashing effected by C(M).


However, the randomized suffix of length k leads to essentially $2^k$ possible random values for c = C(MU). Thus for, say, k = 60, the adversary has no effective control over the congruence (4) that P will solve.
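An added worked example in Python (not code from the paper) of Definition 1, the inversion of Section 2 for primes $p \equiv q \equiv 3 \pmod 4$ by formula (2) and the Chinese-remainder combination, and the signing and checking procedure of Section 3. The toy key values, the use of SHA-256 as a stand-in for the compressing function C( ) of [4], the byte length k of the suffix, and the function names are my own assumptions.

```python
import hashlib
import secrets

# Constructed toy private key: both primes are ≡ 3 (mod 4) so formula (2) applies
# (real keys use primes of hundreds of bits; these only illustrate the arithmetic).
P, Q = 10007, 10039
N = P * Q
B = 12345   # public b, 0 <= b < n

def E(x, n=N, b=B):
    """Definition 1: E_{n,b}(x) = x(x+b) mod n; needs only the public key."""
    return x * (x + b) % n

def solve_mod_prime(c, b, p):
    """Roots of x(x+b) ≡ c (mod p), p ≡ 3 (mod 4): complete the square,
    (x+d)^2 ≡ c + d^2 with d = b/2, and take the root by formula (2)."""
    d = b * pow(2, -1, p) % p
    m = (c + d * d) % p
    if pow(m, (p - 1) // 2, p) != 1:   # Euler's criterion: m is not a q.r. mod p
        return []
    r = pow(m, (p + 1) // 4, p)        # formula (2): sqrt(m) = m^((p+1)/4)
    return [(-d + r) % p, (-d - r) % p]

def invert(c, p, q, b):
    """All (up to four) x with E_{n,b}(x) = c, combining the roots mod p and
    mod q with the coefficients a (1 mod p, 0 mod q) and a2 (1 mod q, 0 mod p)."""
    n = p * q
    a = q * pow(q, -1, p) % n
    a2 = p * pow(p, -1, q) % n
    return sorted((a * r + a2 * s) % n
                  for r in solve_mod_prime(c, b, p)
                  for s in solve_mod_prime(c, b, q))

def compress(msg, n):
    """C( ): a public hash reduced so that c < n (SHA-256 stands in for [4])."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, p, q, b, k=8):
    """Section 3: try random k-byte suffixes U until congruence (4) is solvable.
    Returns (U, x, number of tries); the expected number of tries is 4."""
    n = p * q
    tries = 0
    while True:
        tries += 1
        u = secrets.token_bytes(k)
        xs = invert(compress(msg + u, n), p, q, b)
        if xs:
            return u, xs[0], tries

def verify(msg, u, x, n=N, b=B):
    """Anybody can check the signature (U, x) with the public key alone."""
    return E(x, n, b) == compress(msg + u, n)
```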

4.  INVERSION  IS  EQUIVALENT  TO  FACTORIZATION 

We now want to show that if an adversary can invert $E_{n,b}(x)$ by any algorithm then he can factor n. By inverting we mean finding for y one of the four x such that E(x) = y. Finding one such x is sufficient for the would-be signature forger, so that we want to show that this is hard. Thus the problem of, say, forging P's signatures is exactly as intractable as the factorization of a number n which is a product of large primes. As mentioned in the Introduction, the scheme in [6] is at most as safe as factorization but conceivably easier to crack.

In the following theorem we count an addition of numbers $a, b \le n$ as one operation.

It is readily seen that if we can solve (4) for fixed n, b and arbitrary c then we can extract square roots, i.e., solve $y^2 \equiv m \pmod n$ whenever a solution exists. Namely, letting $b = 2d \bmod n$ (n is odd) and $m = c + d^2 \bmod n$, (4) turns into

$x^2 + 2dx + d^2 \equiv (x + d)^2 \equiv m \pmod n.$

Thus our result follows from

THEOREM 1: Let AL be an algorithm for finding one of the solutions of

(5)  $y^2 \equiv m \pmod n$

whenever a solution exists, and requiring F(n) steps. There exists an algorithm for factoring n requiring $2F(n) + 2\log_2 n$ steps.

Proof. Assume that n = p·q is a product of two primes, the case relevant for $E_{n,b}$. The proof easily extends to the general case.

For any 0 < k < n, (k,n) = 1, there are exactly four solutions for the congruence

$y^2 \equiv k^2 \pmod n.$

Namely, let res(k,p) = r, res(k,q) = s; then the solutions y of this congruence satisfy $\mathrm{res}(y,p) \equiv \pm r \pmod p$, $\mathrm{res}(y,q) \equiv \pm s \pmod q$, and each of the four sign combinations gives rise to a different solution. Defining for $0 < y_1, y_2 < n$, $y_1 \sim y_2$ to mean $y_1^2 \equiv y_2^2 \pmod n$, we see that this equivalence relation decomposes the set 0 < y < n, (y,n) = 1 into classes each containing four elements.

Denote by $\sqrt{m}$ the solution of (5) by AL for any m, (m,n) = 1. If AL produces more than one solution then the factorization algorithm that follows is even further facilitated.

Choose at random a number 0 < k < n. If (k,n) ≠ 1 then we directly get a factor of n. In practice, this possibility can be neglected. Compute $k^2 \equiv m \pmod n$. Compute $k_1 = \sqrt{m}$ by AL. Now, k is in the equivalence class, by the relation $\sim$, of $k_1$. In a random choice of 0 < k < n, all four possible choices of numbers within any class are equally likely. Hence with probability 1/2

$k \equiv k_1 \pmod p,\ k \equiv -k_1 \pmod q$
or $k \equiv -k_1 \pmod p,\ k \equiv k_1 \pmod q.$

Therefore with probability 1/2

(6)  $(k - k_1,\ n) = p$ or $q$.

The computation of $\sqrt{m}$ requires F(n) steps. The computation of the g.c.d. (6) requires at most $\log_2 n$ subtractions and divisions by 2 of numbers smaller than n. Hence the expected number of steps is $2F(n) + 2\log_2 n$.

If we count bit-operations then subtraction of numbers smaller than n requires at most $\log_2 n$ bit-operations and the bound is $2F(n) + 2(\log_2 n)^2$.

The previous theorem may be strengthened to cover the situation that for the given key $E_{n,b}$ can be decoded in just a small percentage of all cases.


THEOREM 2: If AL solves (5) in F(n) steps for 1/e of the 0 < m < n, (m,n) = 1, for which (5) has a solution, then there is an algorithm for factoring n requiring $2eF(n) + 2\log_2 n$ steps.

Proof. As in the proof of Theorem 1, choose a 0 < k < n at random and compute $k^2 \equiv m \pmod n$. Apply AL to find $\sqrt{m}$. If the computation runs more than F(n) steps abort it and choose another k. Whenever a root $k_1 = \sqrt{m}$ is found, compute $(k - k_1, n)$. The analysis in the proof of Theorem 1 implies that with probability 1/2 each such try produces a factorization of n.

The expected number of choices of k leading to a $\sqrt{m}$ is e and the expected number of successes of AL needed for a factorization is 2. Thus the total expected number of steps is $2eF(n) + 2\log_2 n$. Note that we embark on the second phase of the factorization only after a success of AL in finding $\sqrt{m}$.

If for example e = 1000, and F(n) were not prohibitively large, then an adversary could factor n in $2000F(n) + 2\log_2 n$ steps. Consequently, if no practical algorithm for factoring n is possible, then no practical decoding algorithm could work in even 1/1000 of all cases.
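The reductions of Theorems 1 and 2, as an added Python example (not from the paper). The role of AL is played by a brute-force root table over a constructed toy modulus, which is deliberately never given p and q; the parameter e turns it into the partial solver of Theorem 2 that gives up on all but about 1/e of its inputs. The modulus, the way the partial solver picks which inputs to refuse, and the function names are my own assumptions.

```python
import math
import random


def make_oracle(n, e=1):
    """Stand-in for AL: returns one square root of m mod n, but only for about
    1/e of the m's (Theorem 2's partial solver) and None otherwise.  It is built
    by brute force over a toy modulus and knows nothing about p and q."""
    table = {}
    for x in range(1, n):
        if math.gcd(x, n) == 1:
            table.setdefault(x * x % n, x)   # one fixed root per class of four

    def al(m):
        if m % e:                            # models "more than F(n) steps": give up
            return None
        return table.get(m)
    return al


def factor_with_oracle(n, al, rng):
    """The reduction of Theorems 1 and 2: random k, m = k^2 mod n, k1 = AL(m),
    then the g.c.d. (6), (k - k1, n).  Returns (factor, successful AL calls)."""
    successes = 0
    while True:
        k = rng.randrange(1, n)
        g = math.gcd(k, n)
        if g != 1:
            return g, successes              # (k, n) != 1 already gives a factor
        k1 = al(k * k % n)
        if k1 is None:
            continue                         # aborted try: choose another k
        successes += 1
        g = math.gcd(k - k1, n)
        if 1 < g < n:
            return g, successes              # k ≡ ±k1 on exactly one side
        # otherwise k ≡ k1 or k ≡ -k1 mod n (probability 1/2): try again


def mean_successes(n, e, trials=400, seed=7):
    """Average number of successful AL calls per factorization: about 2,
    independently of e, as the proof of Theorem 2 states."""
    al, rng, total = make_oracle(n, e), random.Random(seed), 0
    for _ in range(trials):
        f, s = factor_with_oracle(n, al, rng)
        assert n % f == 0 and 1 < f < n
        total += s
    return total / trials
```

With a toy modulus the chance that a random k shares a factor with n is not quite negligible, so the measured average sits a little below 2.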




5.  GENERALIZATIONS 


The  above  method  of  construction  of  a  one-way  function 
can  be  extended  to  employ  polynomials  or  powers  of  x  of 
small  degrees  other  than  2. 

Assume for example that n = p·q, where p and q are primes of the form 3k + 1. The one-way function will be $E(x) \equiv x^3 \pmod n$. The decoding is effected by solving $x^3 - m \equiv 0 \pmod p$ and mod q by a probabilistic algorithm similar to the one used in Section 2. Again one can prove that any algorithm for extracting cubic roots leads, for n of the above form, to a factorization of n.

The probability that $x^3 \equiv w \pmod n$ is solvable for a random w is 1/9. Thus for utilization in signatures the quadratic scheme seems best.